A hybrid of structured security auditing, high-impact threat modeling, and practical developer guidance for consumer-facing SaaS platforms.
- Systematically review: authentication, data flow, API endpoints, environment variables
- Document each finding with file and line number
- Prioritize issues by risk impact (e.g., remote code execution > misconfiguration)
- Identify areas where user data or authentication state crosses trust boundaries
- Authentication / Authorization
- Input validation
- Exposed secrets
- IDOR vulnerabilities
- Rate limiting
- Unsafe data exposure
- Error handling
- Dependency vulnerabilities
- All sensitive routes require authentication
- Authorization checks enforce correct permissions
- No privilege escalation paths
- Admin routes require authentication and role validation
- 2FA enabled for all admin accounts
- Optional 2FA available for users
- Sessions expire appropriately
- Tokens rotated periodically
- Login attempts throttled
- Account lockout after repeated failures
Consumer SaaS platforms are frequent targets of automated abuse.
- CAPTCHA or bot protection on login
- CAPTCHA on signup flow
- Rate limit login attempts
- Rate limit password reset requests
- Protection against credential stuffing
- Temporary IP blocking after repeated failures
- Device fingerprinting for suspicious behavior
- Email domain abuse detection
- Signup anomaly detection
- Passwords never stored in plaintext
- Passwords hashed using bcrypt or argon2
- Password hashing includes salt
- Password reset tokens expire quickly (≤15 minutes)
- Password reset tokens single-use
- Breached password detection (HaveIBeenPwned or similar)
- Password strength validation
- Environment variables never exposed to client code
- Secrets stored only in server environment or secret manager
- No secrets committed to repository
- Deployment pipelines scrub secrets from logs
- Production and development environments separated
- API tokens scoped with least privilege
- Rate limiting applied to every API route
- Authentication required for sensitive endpoints
- Request body schema validation
- Server-side validation for all inputs
- Request size limits enforced
- Pagination required for large data sets
- Authentication endpoints stricter rate limits
- Validate all user inputs server-side
- Sanitize all user input before storing
- Encode outputs to prevent XSS
- Parameterized database queries
- Prevent command injection
- Prevent path traversal
- Reject malformed JSON or payloads
- Supabase Row Level Security (RLS) enabled on all tables
- Database access restricted by role
- Principle of least privilege applied
- Sensitive columns encrypted where necessary
- Query logs enabled
- Direct database access not exposed publicly
- HTTPS enforced everywhere
- HTTP redirects to HTTPS
- HSTS enabled
- TLS restricted to modern versions
- Security headers enabled
- Cookies set with HttpOnly
- Cookies set with Secure
- SameSite flag configured
- Session cookies expire appropriately
- CORS rules whitelist only trusted domains
- No wildcard origins (
*) - Credentials allowed only where necessary
- Preflight requests validated
- Detailed error messages disabled in production
- Stack traces never exposed to clients
- Internal file paths hidden
- Structured error logging implemented
- User-facing errors sanitized
- Run dependency audits every sprint (
npm audit, etc.) - Dependency lockfiles committed
- Outdated libraries reviewed regularly
- Third-party packages vetted before use
- Automated dependency alerts enabled
- Log every authentication event
- Log login failures
- Log suspicious activity
- Log password reset attempts
- Log rate limit violations
- Logs protected from tampering
- Security alerts monitored
Consumer platforms must support data privacy rights.
- GDPR data export endpoint
- GDPR delete account endpoint
- Data retention policy defined
- Privacy policy published
- PII classification documented
- Data minimization enforced
- User consent tracking
- Email verification required for signup
- Notify users of new device login
- Notify users of password change
- Prevent disposable email abuse
- Secure email templates (no secrets)
- Alert on unusual signup spikes
- Alert on abnormal API usage
- Alert on mass password reset attempts
- Alert on suspicious geographic login patterns
- Monitor traffic anomalies
For each vulnerability:
- Describe the exact security risk
- Show proof or attack vector (curl example, logs, etc.)
- Outline remediation steps
- Explain security implications of the fix
- Only modify code relevant to security
- Document before/after changes
- Retest affected features
- Verify no regressions introduced
- Add additional hardening where appropriate
Before every production deploy:
- Run automated security audit
- Verify rate limits active
- Confirm authentication logging works
- Confirm RLS policies enforced
- Validate HTTPS enforcement
- Run dependency vulnerability scan
- Validate environment secret configuration
- Make performance or styling changes
- Commit unrelated refactors
- Skip vulnerability analysis
- Make changes without documenting the reason
- What vulnerability was addressed?
- Why was the original code unsafe?
- How does the fix mitigate the risk?
- What additional hardening should be considered?